https://bugs.kde.org/show_bug.cgi?id=519995
[email protected] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|BACKTRACE                   |---
             Status|NEEDSINFO                   |REPORTED

--- Comment #5 from [email protected] ---
(In reply to apuebla from comment #4)
> (In reply to Harald Sitter from comment #2)
> > .
>
> UPDATE: kmtpd.so / kiod6: sized deallocation mismatch (undefined behavior)
> aborts on hardened_malloc
>
> System: Fedora 44 with KDE Plasma 26.04.2, KIO 6.27.0, Qt 6.11.1, kio-extras
> 26.04.2
>
> Problem: Dolphin hangs indefinitely when opening an Android phone via MTP.
>
> Investigation: The org.kde.kmtpd5 D-Bus service (provided by kiod6 loading
> kmtpd.so) crashes with SIGABRT in a loop. Dolphin's KIO workers then hang in
> KIO::ConnectionBackend::waitForIncomingTask with ms=-1 (infinite timeout),
> waiting on a socket for kmtpd5 that never responds.
>
> Root cause: kmtpd.so triggers a sized deallocation mismatch (small) --
> undefined behavior in C++ memory management. This is caught by
> hardened_malloc (used by secureblue, GrapheneOS, and others) which correctly
> aborts. glibc's malloc silently tolerates the same bug.
>
> Journal evidence:
> <pre>
> kiod6[PID]: fatal allocator error: sized deallocation mismatch (small)
> dbus-:[email protected]: Main process exited, code=dumped, status=6/ABRT
> </pre>
>
> Dependencies verified: kio-extras 26.04.2, libmtp 1.1.22, kmtpd.so and
> mtp.so plugins present. No SELinux denials related to MTP.
>
> Why this matters: This is not a distro-specific issue. It is undefined
> behavior that could cause silent memory corruption, use-after-free, or heap
> metadata corruption on standard glibc systems. The hardened allocator is
> simply exposing a bug that already exists.
>
> Workaround: Running kiod6 with LD_PRELOAD= (disabling the hardened
> allocator) prevents the abort and allows MTP to function normally.
>
> Reproduction: I can reproduce this consistently on a system with
> hardened_malloc enabled. I am happy to test patches or provide additional
> diagnostics.
>
> Suggested fix: Audit kmtpd.so and its libmtp interaction for mismatched
> new/delete, malloc/free, or operator delete with incorrect size parameters.

-- 
You are receiving this mail because:
You are watching all bug changes.
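As an added illustration (not code from the bug report, KDE or hardened_malloc), the following C++ checker emulates in-process what hardened_malloc does in its sized `operator delete`: it records the size handed to `operator new` and compares it with the size passed back on release, counting rather than aborting on a mismatch. Next to it is the delete-through-a-base-pointer pattern that commonly produces such a mismatch; `Slot`, `g_live`, `Base` and `Derived` are constructed names, and the code assumes a single thread.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
namespace {
struct Slot { void* ptr; std::size_t size; };
Slot g_live[1024];     // live allocations: address -> size handed to operator new
int g_mismatches = 0;  // hardened_malloc aborts here; this checker only counts
}
void* operator new(std::size_t n) {
    void* p = std::malloc(n ? n : 1);
    if (!p) throw std::bad_alloc();
    for (Slot& s : g_live) if (!s.ptr) { s = {p, n}; break; }
    return p;
}
void operator delete(void* p) noexcept {
    for (Slot& s : g_live) if (s.ptr == p) { s = {nullptr, 0}; break; }
    std::free(p);
}
// C++14 sized deallocation: for `delete p` the compiler passes sizeof of the
// static type of p. hardened_malloc compares that with the allocation's size
// class and aborts with "sized deallocation mismatch" when the classes differ;
// this checker is stricter and compares the exact byte count.
void operator delete(void* p, std::size_t n) noexcept {
    for (const Slot& s : g_live)
        if (s.ptr == p && s.size != n) { ++g_mismatches; break; }
    ::operator delete(p);
}
int mismatch_count() { return g_mismatches; }
struct Base { int id; };                       // no virtual destructor
struct Derived : Base { char payload[64]; };   // larger than Base
// Bug pattern: delete through a Base pointer. The delete expression is typed
// Base, so (with sized deallocation, GCC's default) it compiles to the call
// below with sizeof(Base) although sizeof(Derived) bytes were allocated.
// Returns true if the checker flagged the release. (Destructor calls are
// omitted: both types are trivially destructible.)
bool delete_through_base_pointer() {
    int before = g_mismatches;
    Base* b = new Derived;
    ::operator delete(b, sizeof(Base));
    return g_mismatches != before;
}
// Correct release: free with the size of the type actually allocated.
bool delete_as_allocated_type() {
    int before = g_mismatches;
    Derived* d = new Derived;
    ::operator delete(d, sizeof(Derived));
    return g_mismatches != before;
}
```

Giving `Base` a virtual destructor makes `delete b` dispatch to `Derived`'s deleting destructor, which passes `sizeof(Derived)` and satisfies the check.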
